Malaysia: Bank Negara Malaysia issues Policy Document on Merchant Acquiring Services

In brief

Following the issuance of the Exposure Draft of Merchant Acquiring Services Policy Document on 17 July 2020 ("MAS Exposure Draft") (see our client alert on the MAS Exposure Draft), Bank Negara Malaysia (BNM) issued the final Policy Document on Merchant Acquiring Services on 15 September 2021 ("MAS Policy Document").

The MAS Policy Document focuses on risk management and applies to Qualified Acquirers (defined below). Requirements in relation to minimum capital, governance, operations (e.g., merchant management and outsourcing), information technology and reporting obligations have been introduced. These measures are designed to enhance BNM's supervision and regulation of Qualified Acquirers.


Key Takeaways

  1. The MAS Policy Document only applies to a person registered with BNM to provide merchant acquiring services (including an e-money issuer that conducts merchant acquiring services for its own e-money scheme) that fulfils the following criteria ("Qualified Acquirers"):
    1. enters into a contract with merchant(s), which results in a transfer of funds to the merchant(s) by: (i) conducting or being responsible for fund settlement; or (ii) issuing fund settlement instructions;
    2. facilitates the merchant's acceptance of payment instruments; and
    3. is a direct participant of payment instrument network(s) to provide merchant acquiring services.
  2. The key changes in the MAS Policy Document from the MAS Exposure Draft include the following:
    1. removal of specific fit and proper criteria for key responsible persons of Qualified Acquirers (although Qualified Acquirers must still establish a robust governance framework for their boards of directors and senior management) and the shareholder sustainability requirements;
    2. removal of the requirement to ensure that there is no exclusivity in the use of payment terminals / devices to support only a specific payment network or instrument; and
    3. enhancements to the requirements on business continuity management and outsourcing.
  3. The MAS Policy Document will have a material impact on Qualified Acquirers, as they:
    1. will need to implement or materially enhance, among others, their existing governance policies, risk management framework, merchant acquisition and monitoring system, settlement system, outsourcing procedures / arrangements, business continuity management and IT systems; and
    2. will be exposed to increased liabilities to provide funds settlement to merchants if the issuer, payment facilitator, or any other parties involved in the handling of the settlement funds fail to fulfil their settlement obligations.
  4. Other participants in the payment industry and persons who deal with Qualified Acquirers (including outsourced parties) will also be affected, as these obligations will likely be passed on by the Qualified Acquirers to these third parties.
  5. The MAS Policy Document will come into effect on 15 March 2022, except that, for non-bank Qualified Acquirers, the information technology requirements will come into effect on 15 September 2022 and the minimum capital requirements will come into effect on 15 September 2023. Given the scale and materiality of the requirements, Qualified Acquirers should immediately conduct a gap analysis on their existing systems and arrangements and implement steps to comply with the MAS Policy Document.

In more detail

Some of the key requirements and standards are set out below.



Key Requirements and Standards


Minimum Capital Requirements for Non-Bank Qualified Acquirers

  • RM 1 million for large non-bank Qualified Acquirers (i.e., Qualified Acquirers with an actual or projected amount of average monthly transaction value of more than RM 10 million).
  • RM 300,000 for small non-bank Qualified Acquirers.

Settlement Risk Management

  • Merchant settlement funds must be deposited into a dedicated account with a licensed bank or prescribed institution.
  • Where settlement to small and medium enterprise (SME) merchants takes more than two (2) working days upon receipt of funds from the payment instrument network, either: (a) place the settlement funds in a trust account; (b) adopt a direct settlement method to merchants; or (c) secure a bank guarantee on outstanding settlement funds.
  • Qualified Acquirers must settle the funds to merchants if the issuer, payment facilitator or any other parties involved in the handling of the settlement funds fail to fulfil their settlement obligations.

Dealings with Merchants and Other Parties Who May Expose Merchants to Payment and/or Settlement Risks ("Payment Parties")

  • Conduct due diligence when onboarding merchants.
  • Ensure that Payment Parties have adequate operational and risk management policies and procedures in place.
  • Effectively monitor the activities of merchants and Payment Parties.
  • Establish rules and procedures on liability management, chargeback and dispute resolution.
  • Ensure that withholding of funds from the merchants is fair and not detrimental to the merchants.

Outsourcing Arrangements

  • Enhanced corporate governance, administrative, legal and operational requirements on outsourcing arrangements (e.g., due diligence, board approval, specific terms on outsourcing agreements).
  • Outsourcing agreements with IT-related third-party service providers must contain arrangements for disaster recovery and backup capability and IT system availability, and must oblige the service provider to provide sufficient notice before undertaking changes that may impact IT systems and to facilitate updates to BNM on cyber-incidents.

Business Continuity Management

  • Ensure adequate resources and capacity to deliver consistently reliable and secure services.
  • Undertake a structured risk assessment and develop an effective business continuity plan and disaster recovery plan.

Information Technology Requirements

  • Establish a Technology Risk Management Framework, a Cyber Resilience Framework, control procedures for data centre operations, comprehensive cyber crisis management policies and procedures, a technology audit plan and other policies and procedures.
  • Ensure network services supporting IT systems are designed and implemented to ensure confidentiality, integrity and availability of data.
  • Implement access control policy for identification, authentication and authorization of users.
  • Provide adequate and regular technology and cybersecurity awareness education to all staff.



This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. 
